On May 6, 2022, global agricultural equipment manufacturer and distributor AGCO announced they were victims of a ransomware attack.
The attack hit some of their production facilities on May 5, and restoring normal operations is expected to take several days or more.
While the culprits of the intrusion are currently unknown, The National Law Review believes the assault was politically motivated:
“This attack is likely a result of a recent donation to a Ukrainian relief fund. The day before this attack, AGCO Agriculture Foundation donated $50,000 to the BORSCH initiative, which assists Ukrainian farming communities affected by the war with Russia.”
AGCO’s experience is relevant to organizations of every size and industry vertical because we all have one thing in common: we run IT systems connected to the Internet, and anything reachable from the Internet can be attacked.
We’ll explore what happened and the four primary ways organizations make themselves vulnerable to ransomware attacks. We’ll also share best practices to decrease the chances of becoming a victim.
The AGCO Ransomware Attack Backgrounder
AGCO has an international footprint and owns tractor and farm equipment brands like Challenger, Massey Ferguson, Fendt, and Valtra. Each brand serves markets all over the globe.
As reported in The Register, the drama started with a server shutdown in Beauvais, north of Paris, where Massey Ferguson has tractor production lines. Management sent assembly line workers home because nobody could reach the server.
AGCO’s Fendt brand suffered similar disruption when the IT outage extended to its Bavarian production facilities.
While there is never a convenient time for a production shutdown, the planting season is underway, and farmers need AGCO equipment to meet the demands of a global food supply chain.
And the world is already facing enough supply shortages, so the timing could hardly be worse.
Potential Cause #1 – AGCO Ransomware Attack
A phishing email is one potential cause of the AGCO ransomware attack.
According to Verizon, 96% of phishing attacks arrive through email, where users are tricked into clicking links in the message body or opening attachments. This is hard to fix with technology alone because the attack exploits human behavior rather than a flaw in the software.
Somebody at AGCO may have been multi-tasking and unwittingly took the bait. Comparitech notes, “97% of users cannot identify phishing emails.”
Imagine juggling message streams from three different Teams groups while Teams chat, your desk phone, and your cellphone light up with incoming messages and alerts. This scenario is familiar to everyone in 2022.
Is it any wonder that phishing emails carrying ransomware slip past people whose attention is split that many ways?
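The "tricked into clicking a link" problem described above has a mechanical side that can be checked before a message ever reaches a busy inbox. The Python below is an added example written for this article, not code from AGCO, Integris, or any of the reports cited here. It parses a constructed HTML email, flags anchors whose visible text shows one domain while the href points at another, flags links that go straight to a raw IP address, and flags attachments whose extensions commonly carry a malware loader. The sample message, the domain names, and the extension list are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message used as sample input (not a real email).
SAMPLE_HTML = """
<p>Your supplier portal password expires today. Reset it now:</p>
<p><a href="http://portal-login.example.net/reset">https://portal.example.com/reset</a></p>
<p><a href="http://203.0.113.5/login">Sign in</a> if the link above does not work.</p>
<p>Questions? See the <a href="https://portal.example.com/help">Help center</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["invoice_4471.pdf", "remittance_form.docm"]

# File types that commonly carry a loader (assumed list; tune to your own policy).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(tuple(self._open))
            self._open = None


def registrable(host):
    """Crude 'example.com' from 'portal.example.com'. Production code should use
    the public suffix list so that co.uk-style domains compare correctly."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def inspect_email(html, attachments=()):
    """Return (finding_kind, detail) tuples for each suspicious trait found."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if IPV4.fullmatch(host):
            findings.append(("ip_literal_link", href))
        shown = HOST_IN_TEXT.search(text)
        # Visible text names one site, the href goes somewhere else: classic lure.
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("display_mismatch", f"{text.strip()} -> {href}"))
    for name in attachments:
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky_attachment", name))
    return findings


if __name__ == "__main__":
    for kind, detail in inspect_email(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print(f"{kind:18} {detail}")
```

The display-text check only fires when the visible text itself looks like a URL; a link labelled "Click here" that points at an attacker's domain passes it, which is exactly why the awareness training recommended later in this article still matters alongside mail filtering.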
Potential Cause #2 – AGCO Ransomware Attack
Remote Desktop Protocol or RDP may have created an opening for the AGCO ransomware attack.
In “Diagnosing the Ransomware Deployment Protocol (RDP),” Palo Alto Networks states, “Remote Desktop Protocol (RDP) is the most prevalent initial ransomware attack vector and has been for years.”
RDP is a Microsoft protocol that lets administrators and users remotely access and control Windows systems over the network. For example, until 2012, I used RDP when working from home to access a file server and Microsoft Exchange at my old office five miles away.
RDP is also used to access virtual machines (VMs) and manage cloud assets.
RDP listens on Transmission Control Protocol (TCP) port 3389 by default, and the session itself is encrypted, so the protocol is not the weak point. The weak point is configuration: an RDP service published directly to the Internet, often behind a local administrator account with a weak or reused password, and with no Network Level Authentication or multi-factor authentication in front of it.
To add intrigue to misfortune, cyber threat actors (CTAs) do not even have to scan for these hosts themselves. Internet-wide scanning services such as Shodan index systems with port 3389 open, which is the same as publishing a listing of houses with unlocked doors.
Once CTAs log in with a guessed or stolen password, they have a foothold from which to escalate privileges and move laterally across a target company’s digital estate as administrators – stealing proprietary information, encrypting data, and shutting down services.
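The password guessing that precedes most RDP intrusions leaves a trail in the Windows Security log: a burst of event 4625 (failed logon) with logon type 10 (RemoteInteractive, the type RDP sessions use) from one source address, followed by a 4624 (successful logon) from the same address. The detector below is an added example for this article, not code from AGCO, Integris, or Palo Alto Networks. It works on constructed sample events flattened to one line each; real logs are EVTX/XML and need a proper parser, and the threshold, window, account names, and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line (real Windows Security logs are EVTX/XML;
# the fields below mirror the ones that matter for this detection).
SAMPLE_LOG = """\
2022-05-04T22:01:05 EventID=4625 LogonType=10 Account=administrator IpAddress=203.0.113.10
2022-05-04T22:01:07 EventID=4625 LogonType=10 Account=administrator IpAddress=203.0.113.10
2022-05-04T22:01:09 EventID=4625 LogonType=10 Account=admin IpAddress=203.0.113.10
2022-05-04T22:01:11 EventID=4625 LogonType=10 Account=backup IpAddress=203.0.113.10
2022-05-04T22:01:13 EventID=4625 LogonType=10 Account=svc_sql IpAddress=203.0.113.10
2022-05-04T22:01:15 EventID=4625 LogonType=10 Account=jsmith IpAddress=203.0.113.10
2022-05-04T22:01:20 EventID=4624 LogonType=10 Account=jsmith IpAddress=203.0.113.10
2022-05-04T22:05:00 EventID=4625 LogonType=10 Account=mwalker IpAddress=198.51.100.7
2022-05-04T22:05:30 EventID=4624 LogonType=10 Account=mwalker IpAddress=198.51.100.7
2022-05-04T22:06:00 EventID=4625 LogonType=2 Account=kdoe IpAddress=10.0.0.5
2022-05-04T22:06:01 EventID=4625 LogonType=2 Account=kdoe IpAddress=10.0.0.5
2022-05-04T22:06:02 EventID=4625 LogonType=2 Account=kdoe IpAddress=10.0.0.5
2022-05-04T22:06:03 EventID=4625 LogonType=2 Account=kdoe IpAddress=10.0.0.5
2022-05-04T22:06:04 EventID=4625 LogonType=2 Account=kdoe IpAddress=10.0.0.5
2022-05-04T22:06:05 EventID=4625 LogonType=2 Account=kdoe IpAddress=10.0.0.5
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) IpAddress=(?P<ip>\S+)$"
)
LOGON_FAILED, LOGON_SUCCESS = 4625, 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / Remote Desktop


def parse_events(text):
    """Parse the flattened format into dicts sorted by time, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for addresses with at least `threshold` failed RDP
    logons inside a sliding `window`. A successful RDP logon from the same address
    while those failures are still in the window upgrades the alert to
    'success_after_failures' and records which account let the attacker in."""
    recent = defaultdict(deque)  # ip -> (timestamp, account) of recent failures
    alerts = {}
    for e in parse_events(text):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, service and network logons need their own rules
        q = recent[e["ip"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # forget failures that fell out of the sliding window
        if e["event_id"] == LOGON_FAILED:
            q.append((e["ts"], e["account"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(e["ip"], {"kind": "bruteforce", "compromised": None})
                alert["failures"] = len(q)
                alert["accounts"] = sorted({a for _, a in q})
        elif e["event_id"] == LOGON_SUCCESS and len(q) >= threshold:
            alert = alerts.setdefault(e["ip"], {"failures": len(q),
                                                "accounts": sorted({a for _, a in q})})
            alert["kind"] = "success_after_failures"
            alert["compromised"] = e["account"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

On the sample data only 203.0.113.10 trips the rule (six failures across five accounts, then a successful logon as jsmith); the single mistyped password from 198.51.100.7 and the local console failures from 10.0.0.5 do not. One caveat for production use: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 (Network) rather than 10, so a real rule usually matches both types.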
Learn More: Remote Desktop Protocol Security Primer
Potential Cause #3 – AGCO Ransomware Attack
Drive-by downloads from compromised websites may have led to the AGCO ransomware attack.
Trend Micro defines a drive-by download as “…the unintentional download of malicious code onto a computer or mobile device that exposes users to different types of threats. Cybercriminals use drive-by downloads to steal and collect personal information, inject banking Trojans, or introduce exploit kits or other malware to endpoints, among many others.”
Web surfers are susceptible to drive-by downloads without clicking on anything: simply loading a compromised page is enough when the attacker’s code exploits a vulnerability in the browser or one of its plug-ins. Threat actors plant malicious code on otherwise legitimate websites, and victims are almost always unaware that malware has landed on their computers.
Malware is all over the place. Security Week cites some startling figures:
- 5 million websites have malware at any time.
- The average website gets attacked 44 times every day.
With all of this dynamic activity, everyone and every website is a moving target.
Potential Cause #4 – AGCO Ransomware Attack
Using removable media and USB devices may have caused the AGCO ransomware attack.
If you plug a storage device or thumb drive into a USB port on your laptop and that device carries malware, the infection can run as soon as you open a file on it, and from your laptop it can spread to the rest of the corporate network.
For instance, you may use an external backup drive at home and bring files from it to your office PC. If your home computer is infected, the backup drive becomes an open door into your company’s IT systems.
Your device can also be compromised through a public USB charging station, a practice the FCC calls juice jacking: a tampered station uses the USB data lines, not just the power lines, to load malware onto your cellphone or laptop while it charges.
What to Do Now to Lower Your Ransomware Risk
We will keep you posted on the outcome of the investigation since the jury is still out on the ultimate cause or causes of the AGCO ransomware attack.
Until then, the FBI recommends the following general guidelines:
- Keep operating systems, software, and applications current and up to date.
- Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans.
- Back up data regularly and double-check that those backups are completed.
- Secure your backups. Ensure they are not connected to the computers and networks they are backing up.
- Create a continuity plan in case your business or organization is the victim of a ransomware attack.
Integris recommends the following specific guidelines:
- Require every employee to use a password manager.
- Implement Multi-Factor Authentication right away.
- Initiate Cybersecurity Awareness Training as soon as possible.
- Consult with a Chief Information Security Officer (CISO) or a virtual CISO (“vCISO”) who can help assess whether your IT systems meet the correct compliance framework for your industry.
To learn more, visit vCISO Consulting from Integris.